DOCSLIB.ORG

A Simple Power Analysis Attack on the Twofish Key Schedule

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

A Simple Power Analysis Attack on the Twofish Key Schedule Jose Javier Gonzalez Ortiz∗ Kevin J. Compton† University of Michigan University of Michigan November 23, 2016 Abstract This paper introduces an SPA power attack on the 8-bit implementation of the Twofish block cipher. The attack is able to unequivocally recover the secret key even under substantial amounts of error. An initial algorithm is described using exhaustive search on error free data. An error resistant algorithm is later described. It employs several threshold preprocessing stages followed by a combined approach of least mean squares and an optimized Hamming mask search. Further analysis of 32 and 64-bit Twofish implementations reveals that they are similarly vulnerable to the described SPA attack. Keywords: Twofish, SPA, Power Attack, Block Cipher, Error Tolerance 1 Introduction In 1997, the National Institute of Standards and Technology (NIST) started the Advanced Encryption Standard process in order to designate a successor of the aged Digital Encryption Standard (DES). Among the five finalists is the Twofish block cipher, and although in the end Rijndael was designated as the winner of the AES contest, Twofish was one of the strongest contenders, excelling in categories such as general security, hardware performance and design features. After the introduction of linear and differential attacks they became a concern in the design of new ciphers. Thus, the encryption and key schedule algorithms of the submissions were designed to prevent these types of attacks. Nevertheless, arXiv:1611.07109v1 [cs.CR] 22 Nov 2016 among the finalists both AES and Serpent have been found to be susceptible to side-channel attacks. These attacks focus on the information that can be gained from the physical implementation of cryptosystems in especially accessible systems such as smart cards. In 1999 Biham and Shamir [BS99] carried out a preliminary analysis of power attack susceptibility of various AES candidates. They assessed that Twofish Key Schedule had a complex structure and seemed not to reveal direct information on the key bits from Hamming measurements. The results presented in this work refute this assertion since an efficient and robust SPA attack that retrieves the secret key was found. ∗[email protected][email protected] 1 1.1 Previous Work 1 INTRODUCTION We present a side channel attack on the Twofish key schedule which finds the secret key in just one execution of the algorithm. Further analysis of the algorithm and the different existing implementations render all of them vulnerable to this attack, posing a concern for the way 8-bit manipulations are described and performed in the Twofish Key Schedule. We will start by providing a background in the Twofish Block Cipher operation and the formulation of its associated Key Schedule in Section 2. Section 3 describes an attack provided error free data by employing a reduced exhaustive search for each byte of the key. The attack is then incrementally improved in Section 4 to cope with a more than significant amount of measurement error. Section 5 displays the accuracies achieved under varying degrees of error and key size as well as the elapsed times. These results are later analyzed on Section 6 and further work is outlined in Section 7. 1.1 Previous Work Side Channel Attacks were first described in 1996 by Kocher [Koc96] with the introduction of timing attacks, which had the ability of compromising a cryptosystem by analyzing the time taken to execute specific parts of cryptographic algorithms. However, these attacks can be easily overcome by employing simple software countermeasures. Since access to the hardware was one of the assumptions, attacks that used the power consumption of the cryptosystem started developing. The first research power attack is credited to Kocher et al [KJJ99], in which they were able to obtain information of the data manipulated by the processor by carefully measuring the power consumption of a CMOS chip. In his work, two different types of power attacks are described: • Differential Power Attacks (DPA) – In an analogous fashion to classical differential cryptanalysis, DPAs try to find patterns and relationships between plaintexts and their associated power traces. Similarly, a large amount of samples are required for the results to convey statistical significance. • Simple Power Attacks (SPA) – An SPA focuses in particular vulnerabilities of the algorithm design. These vulnerabilities could leak enough sensitive information to compromise the confidentiality of the encryption or even the secret key itself. Since microprocessors perform discrete operations on blocks of data in a sequential fashion, physical imperfections of the system make possible to correlate the Hamming weights of the manipulated values and the power utilization. Research has proved that this correlation is significant enough to find Hamming weights of numerous intermediate variables from the power utilization, as shown in the works of [MDS02] and [MS00]. The concern of these types of attacks has lead to a number of research efforts [Mes01], [MOP07] to thwart them by masquerading the power consumption values in order to break the correlation that Power Attack use as a basis to acquire information. Nevertheless, they are still far from being industry standards and most modern smartcards and ASICs do not yet include mechanisms like those ones by default. Thus, for the purpose of this paper said techniques have not been considered. Recent research efforts have shown that both Rijndael [VBC05] and Serpent [CTV09] key schedules are susceptible to Simple Power Attacks. Both attacks used a power trace of the algorithm to unequivocally 2 2 TWOFISH BLOCK CIPHER recover the secret key used in the encryption. In both cases the weakness arose from the key schedule computation; patterns in the hamming weights of the key schedule algorithm revealed enough informa- tion to compromise the secret key. Twofish’s key schedule follows different principles and constructions to generate the necessary subkeys but it is nonetheless susceptible to this type of attack as this paper demonstrates. Even though Twofish smart-card implementation performance and versatility have been thoroughly analyzed [Kea99], [RHW11], no power attacks have been found for the encryption algorithm or the key schedule. Nevertheless, analysis on the key schedule such as [MM99] have outlined some deficiencies and weaknesses in the cipher. 2 Twofish Block Cipher Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. It was one of the five finalists of the Advanced Encryption Standard contest. It was submitted by Schneier et al. [SKW+98]. Twofish features pre-computed key-dependent S-boxes, and a relatively complex key schedule. One half of an n-bit key is used as the actual encryption key and the other half of the n-bit key is used to modify the encryption algorithm. Twofish borrows some elements from other designs such as a Feistel structure from DES or the pseudo-Hadamard transform [STM10] from the SAFER family of ciphers [Mas94]. This section will briefly introduce the encryption scheme and key schedule in the Twofish block cipher following the notation and terminology from [SKW+98]. 2.1 The Twofish Encryption Algorithm The Twofish encryption is a 16 round Feistel Network with both input and output whitening. Each round operates only in the higher 64 bits of the block and swaps both halves. A total of 40 subkeys are generated from the secret key, with each key being 32 bits. Keys K0 ... K3 are used for the input whitening, K4 ... K7 are used for the output whitening and K8 ... K39 are used as the round subkeys. Each round employs a function F which is a key-dependent permutation on 64-bit values. The function F splits the 64-bit string into two 32-bit substrings and applies the g function to each half. The function g applies a fixed number of S-box substitutions and XORs with parts of the secret key (the number of steps this is performed depends on the size of the key). This is followed by a MDS (Maximum Distance Separable) Matrix transform, a Pseudo-Hadamard Transform and round key XOR with the two subkeys associated for that said round. Therefore each round r uses two subkeys as round key, namely K2r+8 and K2r+9. Finally, the output is XORed with one half of the block following the Feistel Network scheme. Bit wise rotations and shifts are performed at strategic points in the encryption to maximize diffusion. They have been omitted to simplify the explanation. The algorithm can be visualized in Figure 2.1 3 2.1 The Twofish Encryption Algorithm 2 TWOFISH BLOCK CIPHER Plaintext (128 bit) K0 K1 K2 K3 Input whitening g <<<1 S-box 0 MDS PHT K2r+8 S-box 1 S-box 2 S-box 3 g One round S-box 0 MDS S-box 1 <<<8 S-box 2 K S-box 3 2r+9 >>>1 ... 15 more rounds Undo last swap K K 4 5 K6 K7 Output whitening Ciphertext (128 bits) Legend Exclusive-or Addition modulo 2 32 <<< Rotation Figure 2.1: Twofish algorithm 4 2 TWOFISH BLOCK CIPHER 2.2 The Twofish Key Schedule 2.2 The Twofish Key Schedule The key schedule has to provide 40 32-bit words of expanded key K0, ... , K39. Twofish is defined for sizes N = f128, 192, 256g. Keys shorter can be padded with zeros to the next larger key length. The key is split into 2R 32-bit words K = (M0, M1,... M2R−1) where R = N/64. To generate each sub-key all the bits in the secret key are employed. The secret key is also employed to derive the vector S = (SR−1, SR−2, ... , S0) which is obtained by applying a Reed Solomon Transformation to the key.
Recommended publications
  • Improved Rectangle Attacks on SKINNY and CRAFT

    Improved Rectangle Attacks on SKINNY and CRAFT

    Improved Rectangle Attacks on SKINNY and CRAFT Hosein Hadipour1, Nasour Bagheri2 and Ling Song3( ) 1 Department of Mathematics and Computer Science, University of Tehran, Tehran, Iran, [email protected] 2 Electrical Engineering Department, Shahid Rajaee Teacher Training University, Tehran, Iran, [email protected] 3 Jinan University, Guangzhou, China [email protected] Abstract. The boomerang and rectangle attacks are adaptions of differential crypt- analysis that regard the target cipher E as a composition of two sub-ciphers, i.e., 2 2 E = E1 ◦ E0, to construct a distinguisher for E with probability p q by concatenat- ing two short differential trails for E0 and E1 with probability p and q respectively. According to the previous research, the dependency between these two differential characteristics has a great impact on the probability of boomerang and rectangle distinguishers. Dunkelman et al. proposed the sandwich attack to formalise such dependency that regards E as three parts, i.e., E = E1 ◦ Em ◦ E0, where Em contains the dependency between two differential trails, satisfying some differential propagation with probability r. Accordingly, the entire probability is p2q2r. Recently, Song et al. have proposed a general framework to identify the actual boundaries of Em and systematically evaluate the probability of Em with any number of rounds, and applied their method to accurately evaluate the probabilities of the best SKINNY’s boomerang distinguishers. In this paper, using a more advanced method to search for boomerang distinguishers, we show that the best previous boomerang distinguishers for SKINNY can be significantly improved in terms of probability and number of rounds.
  • Investigating Profiled Side-Channel Attacks Against the DES Key

    Investigating Profiled Side-Channel Attacks Against the DES Key

    IACR Transactions on Cryptographic Hardware and Embedded Systems ISSN 2569-2925, Vol. 2020, No. 3, pp. 22–72. DOI:10.13154/tches.v2020.i3.22-72 Investigating Profiled Side-Channel Attacks Against the DES Key Schedule Johann Heyszl1[0000−0002−8425−3114], Katja Miller1, Florian Unterstein1[0000−0002−8384−2021], Marc Schink1, Alexander Wagner1, Horst Gieser2, Sven Freud3, Tobias Damm3[0000−0003−3221−7207], Dominik Klein3[0000−0001−8174−7445] and Dennis Kügler3 1 Fraunhofer Institute for Applied and Integrated Security (AISEC), Germany, [email protected] 2 Fraunhofer Research Institution for Microsystems and Solid State Technologies (EMFT), Germany, [email protected] 3 Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany, [email protected] Abstract. Recent publications describe profiled single trace side-channel attacks (SCAs) against the DES key-schedule of a “commercially available security controller”. They report a significant reduction of the average remaining entropy of cryptographic keys after the attack, with surprisingly large, key-dependent variations of attack results, and individual cases with remaining key entropies as low as a few bits. Unfortunately, they leave important questions unanswered: Are the reported wide distributions of results plausible - can this be explained? Are the results device- specific or more generally applicable to other devices? What is the actual impact on the security of 3-key triple DES? We systematically answer those and several other questions by analyzing two commercial security controllers and a general purpose microcontroller. We observe a significant overall reduction and, importantly, also observe a large key-dependent variation in single DES key security levels, i.e.
  • Hardware Performance Evaluation of Authenticated Encryption SAEAES with Threshold Implementation

    Hardware Performance Evaluation of Authenticated Encryption SAEAES with Threshold Implementation

    cryptography Article Hardware Performance Evaluation of Authenticated Encryption SAEAES with Threshold Implementation Takeshi Sugawara Department of Informatics, The University of Electro-Communications, Tokyo 182-8585, Japan; [email protected] Received: 30 June 2020; Accepted: 5 August 2020; Published: 9 August 2020 Abstract: SAEAES is the authenticated encryption algorithm instantiated by combining the SAEB mode of operation with AES, and a candidate of the NIST’s lightweight cryptography competition. Using AES gives the advantage of backward compatibility with the existing accelerators and coprocessors that the industry has invested in so far. Still, the newer lightweight block cipher (e.g., GIFT) outperforms AES in compact implementation, especially with the side-channel attack countermeasure such as threshold implementation. This paper aims to implement the first threshold implementation of SAEAES and evaluate the cost we are trading with the backward compatibility. We design a new circuit architecture using the column-oriented serialization based on the recent 3-share and uniform threshold implementation (TI) of the AES S-box based on the generalized changing of the guards. Our design uses 18,288 GE with AES’s occupation reaching 97% of the total area. Meanwhile, the circuit area is roughly three times the conventional SAEB-GIFT implementation (6229 GE) because of a large memory size needed for the AES’s non-linear key schedule and the extended states for satisfying uniformity in TI. Keywords: threshold implementation; SAEAES; authenticated encryption, side-channel attack; changing of the guards; lightweight cryptography; implementation 1. Introduction There is an increasing demand for secure data communication between embedded devices in many areas, including automotive, industrial, and smart-home applications.
  • Impossible Differentials in Twofish

    Impossible Differentials in Twofish

    Twofish Technical Report #5 Impossible differentials in Twofish Niels Ferguson∗ October 19, 1999 Abstract We show how an impossible-differential attack, first applied to DEAL by Knudsen, can be applied to Twofish. This attack breaks six rounds of the 256-bit key version using 2256 steps; it cannot be extended to seven or more Twofish rounds. Keywords: Twofish, cryptography, cryptanalysis, impossible differential, block cipher, AES. Current web site: http://www.counterpane.com/twofish.html 1 Introduction 2.1 Twofish as a pure Feistel cipher Twofish is one of the finalists for the AES [SKW+98, As mentioned in [SKW+98, section 7.9] and SKW+99]. In [Knu98a, Knu98b] Lars Knudsen used [SKW+99, section 7.9.3] we can rewrite Twofish to a 5-round impossible differential to attack DEAL. be a pure Feistel cipher. We will demonstrate how Eli Biham, Alex Biryukov, and Adi Shamir gave the this is done. The main idea is to save up all the ro- technique the name of `impossible differential', and tations until just before the output whitening, and applied it with great success to Skipjack [BBS99]. apply them there. We will use primes to denote the In this report we show how Knudsen's attack can values in our new representation. We start with the be applied to Twofish. We use the notation from round values: [SKW+98] and [SKW+99]; readers not familiar with R0 = ROL(Rr;0; (r + 1)=2 ) the notation should consult one of these references. r;0 b c R0 = ROR(Rr;1; (r + 1)=2 ) r;1 b c R0 = ROL(Rr;2; r=2 ) 2 The attack r;2 b c R0 = ROR(Rr;3; r=2 ) r;3 b c Knudsen's 5-round impossible differential works for To get the same output we update the rule to com- any Feistel cipher where the round function is in- pute the output whitening.
  • Hash Functions and the (Amplified) Boomerang Attack

    Hash Functions and the (Amplified) Boomerang Attack

    Hash Functions and the (Amplified) Boomerang Attack Antoine Joux1,3 and Thomas Peyrin2,3 1 DGA 2 France T´el´ecomR&D [email protected] 3 Universit´ede Versailles Saint-Quentin-en-Yvelines [email protected] Abstract. Since Crypto 2004, hash functions have been the target of many at- tacks which showed that several well-known functions such as SHA-0 or MD5 can no longer be considered secure collision free hash functions. These attacks use classical cryptographic techniques from block cipher analysis such as differential cryptanal- ysis together with some specific methods. Among those, we can cite the neutral bits of Biham and Chen or the message modification techniques of Wang et al. In this paper, we show that another tool of block cipher analysis, the boomerang attack, can also be used in this context. In particular, we show that using this boomerang attack as a neutral bits tool, it becomes possible to lower the complexity of the attacks on SHA-1. Key words: hash functions, boomerang attack, SHA-1. 1 Introduction The most famous design principle for dedicated hash functions is indisputably the MD-SHA family, firstly introduced by R. Rivest with MD4 [16] in 1990 and its improved version MD5 [15] in 1991. Two years after, the NIST publishes [12] a very similar hash function, SHA-0, that will be patched [13] in 1995 to give birth to SHA-1. This family is still very active, as NIST recently proposed [14] a 256-bit new version SHA-256 in order to anticipate the potential cryptanalysis results and also to increase its security with regard to the fast growth of the computation power.
  • Simple Substitution and Caesar Ciphers

    Simple Substitution and Caesar Ciphers

    Spring 2015 Chris Christensen MAT/CSC 483 Simple Substitution Ciphers The art of writing secret messages – intelligible to those who are in possession of the key and unintelligible to all others – has been studied for centuries. The usefulness of such messages, especially in time of war, is obvious; on the other hand, their solution may be a matter of great importance to those from whom the key is concealed. But the romance connected with the subject, the not uncommon desire to discover a secret, and the implied challenge to the ingenuity of all from who it is hidden have attracted to the subject the attention of many to whom its utility is a matter of indifference. Abraham Sinkov In Mathematical Recreations & Essays By W.W. Rouse Ball and H.S.M. Coxeter, c. 1938 We begin our study of cryptology from the romantic point of view – the point of view of someone who has the “not uncommon desire to discover a secret” and someone who takes up the “implied challenged to the ingenuity” that is tossed down by secret writing. We begin with one of the most common classical ciphers: simple substitution. A simple substitution cipher is a method of concealment that replaces each letter of a plaintext message with another letter. Here is the key to a simple substitution cipher: Plaintext letters: abcdefghijklmnopqrstuvwxyz Ciphertext letters: EKMFLGDQVZNTOWYHXUSPAIBRCJ The key gives the correspondence between a plaintext letter and its replacement ciphertext letter. (It is traditional to use small letters for plaintext and capital letters, or small capital letters, for ciphertext. We will not use small capital letters for ciphertext so that plaintext and ciphertext letters will line up vertically.) Using this key, every plaintext letter a would be replaced by ciphertext E, every plaintext letter e by L, etc.
  • Known and Chosen Key Differential Distinguishers for Block Ciphers

    Known and Chosen Key Differential Distinguishers for Block Ciphers

    Known and Chosen Key Differential Distinguishers for Block Ciphers Ivica Nikoli´c1?, Josef Pieprzyk2, Przemys law Soko lowski2;3, Ron Steinfeld2 1 University of Luxembourg, Luxembourg 2 Macquarie University, Australia 3 Adam Mickiewicz University, Poland [email protected], [email protected], [email protected], [email protected] Abstract. In this paper we investigate the differential properties of block ciphers in hash function modes of operation. First we show the impact of differential trails for block ciphers on collision attacks for various hash function constructions based on block ciphers. Further, we prove the lower bound for finding a pair that follows some truncated differential in case of a random permutation. Then we present open-key differential distinguishers for some well known round-reduced block ciphers. Keywords: Block cipher, differential attack, open-key distinguisher, Crypton, Hierocrypt, SAFER++, Square. 1 Introduction Block ciphers play an important role in symmetric cryptography providing the basic tool for encryp- tion. They are the oldest and most scrutinized cryptographic tool. Consequently, they are the most trusted cryptographic algorithms that are often used as the underlying tool to construct other cryp- tographic algorithms. One such application of block ciphers is for building compression functions for the hash functions. There are many constructions (also called hash function modes) for turning a block cipher into a compression function. Probably the most popular is the well-known Davies-Meyer mode. Preneel et al. in [27] have considered all possible modes that can be defined for a single application of n-bit block cipher in order to produce an n-bit compression function.
  • Boomerang Analysis Method Based on Block Cipher

    Boomerang Analysis Method Based on Block Cipher

    International Journal of Security and Its Application Vol.11, No.1 (2017), pp.165-178 http://dx.doi.org/10.14257/ijsia.2017.11.1.14 Boomerang Analysis Method Based on Block Cipher Fan Aiwan and Yang Zhaofeng Computer School, Pingdingshan University, Pingdingshan, 467002 Henan province, China { Fan Aiwan} [email protected] Abstract This paper fused together the related key analysis and differential analysis and did multiple rounds of attack analysis for the DES block cipher. On the basis of deep analysis of Boomerang algorithm principle, combined with the characteristics of the key arrangement of the DES block cipher, the 8 round DES attack experiment and the 9 round DES attack experiment were designed based on the Boomerang algorithm. The experimental results show that, after the design of this paper, the value of calculation complexity of DES block cipher is only 240 and the analysis performance is greatly improved by the method of Boomerang attack. Keywords: block cipher, DES, Boomerang, Computational complexity 1. Introduction With the advent of the information society, especially the extensive application of the Internet to break the traditional limitations of time and space, which brings great convenience to people. However, at the same time, a large amount of sensitive information is transmitted through the channel or computer network, especially the rapid development of e-commerce and e-government, more and more personal information such as bank accounts require strict confidentiality, how to guarantee the security of information is particularly important [1-2]. The essence of information security is to protect the information system or the information resources in the information network from various types of threats, interference and destruction, that is, to ensure the security of information [3].
  • On the Decorrelated Fast Cipher (DFC) and Its Theory

    On the Decorrelated Fast Cipher (DFC) and Its Theory

    On the Decorrelated Fast Cipher (DFC) and Its Theory Lars R. Knudsen and Vincent Rijmen ? Department of Informatics, University of Bergen, N-5020 Bergen Abstract. In the first part of this paper the decorrelation theory of Vaudenay is analysed. It is shown that the theory behind the propo- sed constructions does not guarantee security against state-of-the-art differential attacks. In the second part of this paper the proposed De- correlated Fast Cipher (DFC), a candidate for the Advanced Encryption Standard, is analysed. It is argued that the cipher does not obtain prova- ble security against a differential attack. Also, an attack on DFC reduced to 6 rounds is given. 1 Introduction In [6,7] a new theory for the construction of secret-key block ciphers is given. The notion of decorrelation to the order d is defined. Let C be a block cipher with block size m and C∗ be a randomly chosen permutation in the same message space. If C has a d-wise decorrelation equal to that of C∗, then an attacker who knows at most d − 1 pairs of plaintexts and ciphertexts cannot distinguish between C and C∗. So, the cipher C is “secure if we use it only d−1 times” [7]. It is further noted that a d-wise decorrelated cipher for d = 2 is secure against both a basic linear and a basic differential attack. For the latter, this basic attack is as follows. A priori, two values a and b are fixed. Pick two plaintexts of difference a and get the corresponding ciphertexts.
  • Report on the AES Candidates

    Report on the AES Candidates

    Rep ort on the AES Candidates 1 2 1 3 Olivier Baudron , Henri Gilb ert , Louis Granb oulan , Helena Handschuh , 4 1 5 1 Antoine Joux , Phong Nguyen ,Fabrice Noilhan ,David Pointcheval , 1 1 1 1 Thomas Pornin , Guillaume Poupard , Jacques Stern , and Serge Vaudenay 1 Ecole Normale Sup erieure { CNRS 2 France Telecom 3 Gemplus { ENST 4 SCSSI 5 Universit e d'Orsay { LRI Contact e-mail: [email protected] Abstract This do cument rep orts the activities of the AES working group organized at the Ecole Normale Sup erieure. Several candidates are evaluated. In particular we outline some weaknesses in the designs of some candidates. We mainly discuss selection criteria b etween the can- didates, and make case-by-case comments. We nally recommend the selection of Mars, RC6, Serp ent, ... and DFC. As the rep ort is b eing nalized, we also added some new preliminary cryptanalysis on RC6 and Crypton in the App endix which are not considered in the main b o dy of the rep ort. Designing the encryption standard of the rst twentyyears of the twenty rst century is a challenging task: we need to predict p ossible future technologies, and wehavetotake unknown future attacks in account. Following the AES pro cess initiated by NIST, we organized an op en working group at the Ecole Normale Sup erieure. This group met two hours a week to review the AES candidates. The present do cument rep orts its results. Another task of this group was to up date the DFC candidate submitted by CNRS [16, 17] and to answer questions which had b een omitted in previous 1 rep orts on DFC.
  • Development of the Advanced Encryption Standard

    Development of the Advanced Encryption Standard

    Volume 126, Article No. 126024 (2021) https://doi.org/10.6028/jres.126.024 Journal of Research of the National Institute of Standards and Technology Development of the Advanced Encryption Standard Miles E. Smid Formerly: Computer Security Division, National Institute of Standards and Technology, Gaithersburg, MD 20899, USA [email protected] Strong cryptographic algorithms are essential for the protection of stored and transmitted data throughout the world. This publication discusses the development of Federal Information Processing Standards Publication (FIPS) 197, which specifies a cryptographic algorithm known as the Advanced Encryption Standard (AES). The AES was the result of a cooperative multiyear effort involving the U.S. government, industry, and the academic community. Several difficult problems that had to be resolved during the standard’s development are discussed, and the eventual solutions are presented. The author writes from his viewpoint as former leader of the Security Technology Group and later as acting director of the Computer Security Division at the National Institute of Standards and Technology, where he was responsible for the AES development. Key words: Advanced Encryption Standard (AES); consensus process; cryptography; Data Encryption Standard (DES); security requirements, SKIPJACK. Accepted: June 18, 2021 Published: August 16, 2021; Current Version: August 23, 2021 This article was sponsored by James Foti, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology (NIST). The views expressed represent those of the author and not necessarily those of NIST. https://doi.org/10.6028/jres.126.024 1. Introduction In the late 1990s, the National Institute of Standards and Technology (NIST) was about to decide if it was going to specify a new cryptographic algorithm standard for the protection of U.S.
  • Rotational Cryptanalysis of ARX

    Rotational Cryptanalysis of ARX

    Rotational Cryptanalysis of ARX Dmitry Khovratovich and Ivica Nikoli´c University of Luxembourg [email protected], [email protected] Abstract. In this paper we analyze the security of systems based on modular additions, rotations, and XORs (ARX systems). We provide both theoretical support for their security and practical cryptanalysis of real ARX primitives. We use a technique called rotational cryptanalysis, that is universal for the ARX systems and is quite efficient. We illustrate the method with the best known attack on reduced versions of the block cipher Threefish (the core of Skein). Additionally, we prove that ARX with constants are functionally complete, i.e. any function can be realized with these operations. Keywords: ARX, cryptanalysis, rotational cryptanalysis. 1 Introduction A huge number of symmetric primitives using modular additions, bitwise XORs, and intraword rotations have appeared in the last 20 years. The most famous are the hash functions from MD-family (MD4, MD5) and their descendants SHA-x. While modular addition is often approximated with XOR, for random inputs these operations are quite different. Addition provides diffusion and nonlinearity, while XOR does not. Although the diffusion is relatively slow, it is compensated by a low price of addition in both software and hardware, so primitives with relatively high number of additions (tens per byte) are still fast. The intraword rotation removes disbalance between left and right bits (introduced by the ad- dition) and speeds up the diffusion. Many recently design primitives use only XOR, addition, and rotation so they are grouped into a single family ARX (Addition-Rotation-XOR).